How does inSync use the MDM Push certificate and MDM profiles?

The Apple MDM Push certificate is needed by the inSync server to send notifications to the managed iOS mobile device for triggering backup and remotely wiping data. inSync uses the Apple Push Notification (APN) service to communicate with the mobile device.

Each iOS device managed by inSync is prompted to install the inSync MDM profile when the Device Protection feature is activated.

Apple Push Notification servers only talk to known entities, which identify themselves with the APN certificate and its private key. When the APN server receives a request from the inSync server relating to the decommissioning of a device, it first verifies the APN certificate and private key before passing the decommission command on to the device.

Devices keep polling the APN server for commands.

When the APN server passes the inSync decommission request on to the device, the device checks whether the installed MDM profile carries the same identity that Apple verified while talking to the inSync server (the Apple Push Certificate). If they match, the device accepts the command; otherwise it discards it.

The profile has the SSL certificate details in it as well.

The device then starts talking to the server specified in the profile (the inSync server). When the inSync server sends a wipe-off request, the device carries it out after verifying its authenticity.

Why does the inSync iOS mobile app need an MDM profile?

An MDM (Mobile Device Management) profile installed on an iOS device enables that device to be remotely managed by an IT administrator. The administrator can remotely enforce enterprise-wide security policies using an MDM profile.

The inSync Device Protection feature requires the MDM profile of the organization to be installed on the device. This enables the administrator to remotely wipe off sensitive data in case the iOS device is lost or stolen. It also enables the inSync server to trigger backups on the device periodically.

How does an organization using inSync for mobiles obtain an Apple MDM push certificate?

If the IT administrator of an enterprise wants the inSync "Decommission" feature to work on the enterprise's iOS devices, the following requirements have to be met.

The organization needs to have an Apple MDM Push certificate installed on their inSync server. This certificate enables the inSync server to communicate with the mobile devices using the Apple Push Notification (APN) service. The devices need to have the inSync MDM profile installed on them in order to respond to the requests sent by the inSync server.

To obtain an Apple MDM Push Certificate:

1. The customer's IT administrator creates a CSR (Certificate Signing Request) using the organization's private key (the same key that was used to obtain an SSL certificate for the customer's domain).

2. The administrator sends this CSR to Druva Support, which signs it with Druva's private key.

3. Druva Support sends the signed CSR back to the customer.

4. The IT administrator uploads the signed CSR to Apple's Pushcert portal.

5. Apple's Pushcert portal issues the "Apple MDM Push Certificate".

6. The IT administrator uploads it to the inSync web panel, along with the private key (private key and certificate in a single file).
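The CSR and bundling steps above, as an added shell example written for this page rather than taken from Druva or its documentation: it creates the CSR from the organization's key (step 1), joins the certificate and the private key into the single file the web panel expects (step 6), and checks before upload that the certificate really belongs to that key. The Apple portal step cannot be scripted here, so a self-signed certificate from the same key stands in for Apple's; the paths, subject fields and the stand-in key are assumptions.

```shell
#!/bin/sh
# Added example, not Druva tooling. Assumed paths; a fresh RSA key stands in
# for the organization's existing private key (the one behind its SSL cert).
set -eu

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/mdm-push-example}"

# Step 1: build the CSR from the organization's private key and confirm the
# CSR's self-signature verifies before it goes to Druva Support.
make_csr() {
  mkdir -p "$WORKDIR"
  [ -f "$WORKDIR/org.key" ] || openssl genrsa -out "$WORKDIR/org.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/org.key" -out "$WORKDIR/mdm.csr" \
    -subj "/C=US/O=Example Org/CN=insync.example.com" 2>/dev/null
  openssl req -in "$WORKDIR/mdm.csr" -noout -verify >/dev/null 2>&1
}

# Step 6, local part: join the certificate returned by Apple's portal and the
# private key into the single file the inSync web panel expects. Stand-in:
# when no Apple certificate is present, a self-signed one from the same key.
bundle_cert_and_key() {
  cert="${1:-$WORKDIR/apple_mdm_push.pem}"
  if [ ! -f "$cert" ]; then
    openssl x509 -req -in "$WORKDIR/mdm.csr" -signkey "$WORKDIR/org.key" \
      -days 365 -out "$cert" 2>/dev/null
  fi
  cat "$cert" "$WORKDIR/org.key" > "$WORKDIR/mdm_push_bundle.pem"
}

# Pre-upload check: the certificate's public key must equal the one derived
# from the private key in the same file. Prints "match" (exit 0) or
# "mismatch" (exit 1); a mismatched pair would leave the inSync server
# unable to authenticate itself to the APN service.
check_bundle() {
  bundle="${1:-$WORKDIR/mdm_push_bundle.pem}"
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null || true)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo match
    return 0
  fi
  echo mismatch
  return 1
}
```

Run `make_csr`, then `bundle_cert_and_key /path/to/apple_mdm_push.pem` once Apple's certificate is back, and `check_bundle` before uploading `mdm_push_bundle.pem`.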

The IT administrator also needs to install an SSL certificate, which is used to secure communication between the server and the mobile devices.

This SSL certificate can be the same one uploaded for the Web Panel; otherwise inSync automatically generates a self-signed certificate. In other words, the certificate is either self-signed (generated by inSync) or the customer's own domain certificate, valid for the customer's domain, such as "*.druva.com". Such certificates can be issued by third parties like Verisign, Register.com or GoDaddy.

Why does the inSync iOS mobile app need access to the location service of the device?

The inSync application needs access to the location services of the iOS device for the Device Protection features: inSync can trace a device to its current location, and this requires the location service.